I didn't attend the actual session, but my attention was grabbed by the report of Prof. Brian Collin's views, speaking at a recent Cyber Security KTN event, on the controls needed to prevent the HMRC data breach. He took the view that government information systems should inform users if they are about to do something which could put citizens' data at risk. Brian was reported as saying "The system design should never have allowed the [data loss]. They should be designed to stop people going off the edges of what is acceptable. Why are we not doing this? Because it costs."
I couldn't agree more. It's not difficult to develop intelligent software that monitors information flows and can flag such errors. And it shouldn't have to cost so much. Price points for security software are way too high. That's why so many start-up companies fail to survive. Business models for security software need to be more modest. Then, hopefully, we'd all find a win-win solution.
Comments (2)
I'm sorry but i have to completely disagree with the statement that Security Software is too expensive!
It is FAR more likely that the consultants hired to install, test and run the software are the REAL cost.
In my day to day job I work with many, many Government departments and Corporate Enterprises and in nearly every case the consultancy costs that are quoted by the Big 5 are way beyond that of the independent software vendor.
To make it worse, a lot of government departments hire these consultancies to go out and make reccomendations as to what they should do when looking for security systems! The choice, a vendor solution proven to work? Or a self built solution that is new? In nearly every case it has been the "built by consultancies" approach.
In the few cases where I have seen vendors chosen, inevitably, they have gone to whoever Gartner have put in the TOP right hand corner!
Government departments need to become a little more aware of the marketplace and a little less dependent on the Big 5 consultancies.....
Posted by Mark Fullbrook | December 1, 2008 1:29 PM
Posted on December 1, 2008 13:29
The problem with cost comes when you add security after the event rather than design it in. Thinking about security at the requirements stage is much cheaper than fixing it after implementation.
Posted by Matthew West | December 3, 2008 9:53 AM
Posted on December 3, 2008 09:53